Fireware 12.0.1 General Availability
We are pleased to announce the General Availability (GA) of Fireware 12.0.1 and WSM 12.0.1 today, along with updates for the Access Point firmware. These releases provide fixes for many reported issues and include some significant security updates. Key highlights:

Does this release pertain to me?
The Fireware release applies to all Firebox T, Firebox M, and XTM appliances, except the XTM 21/21-W, 22/22-W, and 23/23-W, which are now End of Life (EOL), and the XTM 505, 510, 520, and 530, which reach EOL in December of this year.

AV Signatures in 11.x releases
Previously WatchGuard had announced that we would discontinue support for AV signatures for the older AVG engine in Fireware 11.x by January 2018. This support will now be extended until April 2018.

Software Download Center
Firebox and XTM appliance owners with active support subscriptions can obtain this update without additional charge by downloading the applicable packages from the WatchGuard Software Download Center.

Contact
For Sales or Support questions, you can find phone numbers for your region online. If you contact WatchGuard Technical Support, please have your registered appliance Serial Number or Partner ID available.

Source: WatchGuard


The section below contains summaries of various threat intelligence stories from the past week. The intelligence in this week’s iteration discusses the following threats: Botnet, Exploit kit, Malicious Applications, Malspam, Phishing, Ransomware, and Vulnerabilities. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.

Trending Threats

Evasive Sage 2.2 Ransomware Variant Targets More Countries (October 29, 2017)
Fortinet researchers have published information regarding a new variant of the “Sage” ransomware, dubbed “Sage 2.2.” This variant is distributed via spam emails with malicious JavaScript attachments that download Sage 2.2. The malware still does not infect some machines if certain languages are detected; however, this variant uses a new privilege escalation technique not seen in previous variants. The added privilege allows the malware to encrypt files located in a protected folder. The actors behind the campaign request $2,000 USD in bitcoins for the decryption key. Furthermore, this variant has added more languages to its ransom note in order to infect additional users in more countries.
Recommendation: Always be on high alert while reading email, in particular when it has attachments, attempts to redirect to a URL, comes with an urgent label, or uses poor grammar. Use anti-spam and antivirus protection, and avoid opening email from untrusted or unverified senders. Additionally, it is important to have a comprehensive and tested backup solution in place for the unfortunate case of ransomware infection.
Tags: Spam, Ransomware, Sage 2.2

Vulnerability Spotlight: Apache OpenOffice Vulnerabilities (October 26, 2017)
Three new vulnerabilities have been found in the open source office suite “Apache OpenOffice,” according to Cisco Talos researchers. The first vulnerability is located within “OpenOffice Write,” the second in the “Draw” application, and the third in the “Writer” application. The vulnerable version is Apache OpenOffice 4.1.3.
Recommendation: Your company should have policies in place to monitor all software that is used to ensure that the most current and secure version is implemented. It is critical that the latest security patches be applied as soon as possible to the web browser used by your company. Vulnerabilities are discovered relatively frequently, and it is paramount to install the security patches because the vulnerabilities are often posted to open sources where any malicious actor could attempt to mimic the techniques that are described.
Tags: Vulnerability, Apache OpenOffice

AmosConnect: Maritime Communications Security Has Its Flaws (October 26, 2017)
IOActive researchers have published information discussing two critical vulnerabilities found in the “AmosConnect” software, specifically AmosConnect 8, a platform designed to work in a maritime environment in combination with satellite equipment. The vulnerabilities include the ability to perform SQL injection to return passwords that were stored in plain text, and the presence of a privileged backdoor account. If a maritime vessel did not segment its network configuration, a threat actor may find an exposed network via the internet scanning tool “Shodan” and access the systems via a satellite link.
Recommendation: Researchers state that these vulnerabilities pose a serious risk because they could potentially allow actors to steal sensitive data, take over a server completely, or even pivot within the vessel network. If the network is segmented, researchers state that the vulnerabilities can only be exploited by an actor with access to the IT systems network.
Tags: Vulnerability, AmosConnect 8

Malvertising Campaign Redirects Browser to Terror Exploit Kit (October 25, 2017)
Security researchers warn that some “Quit Smoking” and “20 Minute Fat Loss” advertisements are part of a malvertising campaign. Some of these advertisements, when clicked on, direct users to landing pages that host the “Terror” exploit kit. Terror was first identified in early 2017, and this campaign was found to have increased in malicious activity beginning on September 1 and lasting through October 23, 2017. The Terror exploit kit targets two vulnerabilities, CVE-2016-0189 (scripting engine memory corruption vulnerability) and CVE-2014-6332 (flaw in Windows OLE that can lead to remote code execution). Researchers state that this campaign is currently attempting to infect users with the “Smoke Loader” malware, which gives actors remote control over an infected machine.
Recommendation: Malvertising and exploit kit techniques are often updated by threat actors; therefore, keeping software updated with the latest security patches is critical for users and enterprises. This includes both the operating system and all applications being used. Make sure there is a security system in place that can proactively provide a comprehensive defense against attackers targeting new vulnerabilities.
Tags: Malvertising, Exploit Kit, Malware

SnatchLoader Reloaded (October 25, 2017)
Arbor Networks researchers have published new information regarding the downloader malware called “SnatchLoader.” The malware was first discovered in January 2017, but went dormant for a few months before recently being observed again. The malware is being delivered via spam emails. SnatchLoader is currently being used to distribute the “Ramnit” banking trojan. Researchers found that SnatchLoader is using “geo-IP blocking” to ensure that only machines located in certain regions are infected. At the time of this writing, this campaign is targeting at least the U.K. and Italy.
Recommendation: Always be cautious while reading email, in particular when it has attachments or comes with an urgent label or poor grammar. Use anti-spam and antivirus protection, and avoid opening email from untrusted or unverified senders.
Tags: Malware, SnatchLoader

Multiple Ransomware Infections Reported (October 24, 2017)
The U.S. Computer Emergency Readiness Team (CERT) has issued an alert regarding numerous infections of a ransomware strain dubbed “Bad Rabbit.” Bad Rabbit is suspected to be a variant of the “NotPetya” ransomware. The threat actors request 0.05 bitcoins (approximately $273 USD). As of this writing, the actors behind the campaign are unknown. The U.S. CERT discourages anyone from paying the ransom because it does not guarantee that access will be restored to an infected machine.
Recommendation: The U.S. CERT states that using unpatched and unsupported software may increase the threat and risk of this ransomware. They also ask users to report ransomware incidents to the Internet Crime Complaint Center (IC3).
Tags: Alert, Ransomware, Bad Rabbit

New Ransomware “Bad Rabbit” Spreading Quickly Through Russia and Ukraine (October 24, 2017)
On October 24, 2017, media sources and security researchers began reporting about an active ransomware campaign. The ransomware, dubbed “Bad Rabbit,” infected at least three Russian media outlets, the Kiev Metro, and others as the day progressed. The malware was spread via drive-by downloads from compromised Russian news websites which displayed fake Adobe Flash Player installers. If infected, a user is presented with instructions in the command prompt to visit a “.onion” domain to receive further instructions. The threat actors request 0.05 bitcoins (approximately $273 USD) for the decryption key. As of this writing, the threat actors behind this campaign are unknown.
Recommendation: Ransomware is a continually evolving threat. It is paramount to have a comprehensive and tested backup solution in place. In the unfortunate case a reproducible backup is not in place, make sure to check for a decryptor before considering payment; avoid payment at all costs. Ransomware should be reported to law enforcement agencies who are doing their best to track these actors and prevent ransom from being a profitable business for cyber criminals.
Tags: Ransomware, Bad Rabbit

LokiBot Android Banking Trojan Turns Into Ransomware When You Try to Remove It (October 24, 2017)
A newly discovered variant of the Android banking trojan “LokiBot” has the capability to turn into ransomware, according to SfyLabs researchers. This variant transitions from displaying fake login pages impersonating banking applications to steal credentials, to locking a user’s phone when they attempt to remove the malware’s administrator privileges. At the time of this writing, LokiBot is offered for purchase on underground markets for approximately $2,000 USD. Due to a flaw in the encryption implementation, researchers found that the ransomware feature does not actually encrypt a user’s files with AES, but rather results in the renaming of the files. However, the screen locking feature does work, and the actors demand between $70 and $100 USD to unlock the device.
Recommendation: This LokiBot variant is capable of working on Android version 4.0. The malware must run with administrator privileges, which it requests upon installation, for example, by hiding in an application in the Google Play store or a third-party store. Users should carefully read the permissions an application will request prior to installation. It can also be useful to read the comments regarding the application to identify potential issues. Furthermore, trusted antivirus applications should also be run on mobile devices. The screen locking can be disabled by booting the device into “Safe Mode” and removing LokiBot’s admin user and the infected application.
Tags: Android, Mobile, Malicious applications, Malware, LokiBot

Fake Cryptocurrency Trading Apps on Google Play (October 23, 2017)
ESET researchers have found that Android users are being targeted with malicious applications, specifically users of the cryptocurrency exchange “Poloniex.” Two malicious applications were identified in the Google Play store impersonating Poloniex, which is one of the world’s leading cryptocurrency exchanges. One of the malicious applications, “POLONIEX,” was downloaded approximately 5,000 times between August 28 and September 19, 2017. The second application, “POLONIEX COMPANY,” was downloaded approximately 500 times after it first appeared on Google Play on October 15, 2017. When launched, the applications present a screen impersonating Poloniex to steal user credentials, and then request the user to sign in with their Google account to steal more credentials.
Recommendation: Google has since removed the two applications mentioned in this story. Researchers note that if a user is using two-factor authentication, he/she will be unaffected even if the malicious applications were downloaded. Additionally, always keep your mobile phone fully patched with the latest security updates. Use the Google Play Store / Apple App Store to obtain your software, and avoid downloading applications, even if they appear legitimate, from third-party stores. In addition, it is important to review the permissions the application will request and comments from others who have downloaded the application. Furthermore, it is paramount that mobile devices be kept up-to-date with the latest security patches and employ trusted antivirus software.
Tags: Android, Mobile, Malicious applications

Reaper: Calm Before the IoT Security Storm (October 23, 2017)
Security experts have discovered a new Internet of Things (IoT) botnet, called “IoTroop” and/or “Reaper.” Check Point researchers claim that this massive botnet, which already consists of millions of compromised IoT devices, may have the potential to take down the entire internet. Researchers note that this botnet is evolving and recruiting at a far greater pace than the Mirai botnet of 2016.
Recommendation: This botnet is actively infecting IoT devices such as IP wireless cameras to increase the impact of a possible Distributed Denial-of-Service (DDoS) attack. While the motives of the threat actors behind IoTroop remain unclear as of this writing, this story serves as crucial evidence regarding the importance of securing IoT devices. All IoT devices, particularly IP wireless cameras in this case, should be secured by changing the default credentials. Actors are often able to create botnets, or compromise devices, simply because a user did not change the default username and password.
Tags: Botnet, IoT, Reaper

Source: Honeypot Tech


Since writing that post my router has generated millions of logs that have been ingested by Anomali Enterprise (thankfully still no major threats). As a new “threat analyst” for my family’s home network I’ve learned a number of things along the way, especially the challenges and frustrations that come with performing security investigations.

In the interest of sharing my knowledge with the community I wanted to highlight a few things I’ve come up against, and what I’ve found most useful.

New threats <= active threats?

Knowing a new threat has been observed is good. Knowing where a threat is in the Kill Chain is much more useful. Knowing where the threat is in the process of achieving its objective allows you not only to defend against it, but to understand the context of the threat’s activity before it became known.

Threat intelligence products are great at identifying threats as they happen. For example, Anomali ThreatStream integrations with SIEM products — ArcSight, QRadar, or Splunk to name but a few — can match new logs flowing into each product against threat intel.

However, this only answers the first of the three questions I’d want to ask as an analyst once a threat has been identified:

Is our network impacted/compromised? What’s our exposure?

How widespread is the impact? How far back does it go?

Which specific assets are impacted?

As threats, by their very nature, are reported after the fact, there can often be a delay, sometimes weeks, before a threat is shared. When a threat is identified, it is vitally important to know what its behaviour was and what it may have breached in the days it went unreported.

Big data, big numbers

Considering the data from my home network alone (from the previous blog posts), the calculations required lead to some big numbers:

100,000 logs per day x 1 year of data x 10 indicators = 365,000,000

That’s three hundred sixty-five million calculations that need to be performed for just one investigation!

At enterprise scale the 0’s dramatically increase:

1 billion logs per day x 365 days x 3 years of data = 10 trillion (10,000,000,000,000) matches need to be performed, for one investigation!

Existing security log repositories (I’m using Splunk) are not designed to process queries against such large volumes of historic data. Not only are they limited in their ability to process archived data, but often the cost of storing such data means much of it is filtered out, and thus impossible to search forensically.

How Anomali Enterprise helped me (answer questions 2 & 3)

It was not just me suffering some of these pains; our own security team here at Anomali experienced these problems day in, day out. In search of a solution we built Anomali Enterprise. Some of the functional and design goals of the product included:

The ability to store years of log data online, even from highly noisy sources, e.g. DNS traffic — trillions of logs (without filtering what gets stored due to costs)

The ability to analyse these logs against millions of threat indicators in seconds — not minutes, hours, days, or even weeks (both in real-time and retrospectively)

The ability for analysts to be more effective, more efficient, and more accurate in detecting and remediating threats (better workflows for threat intel)

It’s all about time-to-resolution

Analysts want to focus on the most serious threats, not on more threats in their already never-ending workload. Anomali Enterprise helps me to do this by automatically comparing threat indicators — domains, URLs, emails, file hashes etc. — against new and historic data from all devices in my home network. I can see what has been compromised, when it was compromised, and whether the threat made any lateral movement. Within an hour of malware being identified (as in the previous post), I can assess the damage, detect affected assets, and take measures to secure them.

Overview

On October 24, 2017, security firms and media organizations began reporting about an active ransomware campaign that, as of this writing, has primarily targeted entities in Russia and Eastern Europe. The infections are believed to have begun on October 24 at approximately 12:16 UTC, evidenced by an infected company’s tweet as shown in Figure 1. The ransomware, dubbed “Bad Rabbit,” has infected a number of organizations across Russia and Eastern Europe, including the Russian news agency Interfax and machines in the Kiev Metro. The Odessa International Airport in Ukraine has also confirmed that it was targeted with a cyber-attack which caused flight delays; however, it is unclear whether this attack is Bad Rabbit. At the time of this writing, the threat actor/group behind this attack is unknown.

Figure 1 – Interfax News stating on Twitter that the servers have failed due to a virus attack

Bad Rabbit is believed to be a variant of the “Diskcoder” ransomware; other sources compare Bad Rabbit to the “Petya/NotPetya/ExPetr” ransomware, and consider it possibly a new variant of Petya. The initial infection vector is believed to be compromised Russian websites (drive-by downloads) serving a fake Adobe Flash Player installer (Figure 3). Additionally, the ransomware is able to propagate itself through a network via Server Message Block (SMB). If the ransomware infects a machine, the user is presented with a ransom note in red letters on reboot. Interestingly, this is the same format used for the Petya attacks in June 2017. The actor/group requests 0.05 bitcoins (BTC) (approximately $286.29 USD) for the decryption key. Furthermore, the ransom note displays a countdown, beginning at 40 hours, that indicates the time a user has to pay the ransom before the price increases.

Countries with Bad Rabbit Infections

Bulgaria

Germany

Russia

Turkey

Ukraine

Affected Organizations

Fontanka.ru

Interfax News

Kiev Metro

Ministry of Infrastructure of Ukraine

Odessa International Airport

Analysis

Infection Vector

It appears that the ransomware dropper was delivered by drive-by downloads on a number of compromised legitimate sites. All compromised sites were news and media websites. A pop-up displays that an update for “Adobe Flash” is available, with an install button. The dropper downloads from “http://1dnscontrol[.]com/flash_install.php”. The download is a Windows executable file with a Flash icon, as shown in Figure 2. The dropper is signed with two invalid digital certificates masquerading as certificates issued by “Symantec Corporation” (Figure 3). Figure 4 shows some details extracted from the sample.

Figure 2 – Dropper with Flash Icon

Figure 3 – Digital Certificate used on Dropper

Figure 4 – Details for Fake Adobe Flash Player Installer

Ransomware

The dropper creates a file called “infpub.dat” in the Windows folder. This file is a DLL which the dropper executes by creating the process “C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15”. This DLL performs most of the actions. The ransomware targets and encrypts files with the following file extensions:

Once the encryption process is finished, Bad Rabbit drops the decrypter (details from the file are shown in Figure 5) at “C:\Windows\dispci.exe” and creates a scheduled task to ensure that the malware is executed when the machine is booted. The added scheduled task is shown in Figure 6. The task is created by the execution of the following command:

The ID is different for each infected machine. The task is named “rhaegal,” which is the name of one of the dragons in the television show Game of Thrones. The decrypter removes the scheduled task once it is started. This can be seen in Figure 7.

Figure 7 – The beginning of the decrypter’s Main Function

Bad Rabbit will also ensure the machine is restarted approximately 15 minutes after the infection by creating another scheduled task as shown in Figure 8. The task is added by the following command:

The timestamp is dependent on when the malware was executed. This task is named “drogon,” which is also the name of one of the dragons in Game of Thrones.

Figure 8 – Scheduled task for restarting the machine

Ransom Website

The ransom website is hosted on a “.onion” domain, specifically “caforssztxqzf2nm[.]onion,” and can only be accessed via the Tor network. It shows a colorful animation of text “decrypting” (Figure 9) which reveals instructions for a victim to enter the personal installation code given in the ransom note. After following the instructions, the victim is assigned a bitcoin wallet address to deposit the ransom money for the actors. The assigned address is also used to verify that the payment has been made and to receive a decryption password, according to the instructions (Figure 10). The website was prepared at least a few days in advance of the attack, because the “Last Modified” property of the “index.html” page of the hidden service is Thursday, October 19, as shown in Figure 11.

Figure 9 – Fake text decryption animation

Figure 10 – Bad Rabbit ransom payment hidden service

Figure 11 – Last Modified property of the index.html file of the hidden service

Lateral Movement

Bad Rabbit uses DHCP to find other machines on the same subnet (Figure 12). For each IP address on the network, the malware checks whether the host has port 445 or 139 open (Figure 13) by opening a network socket to the port.

Figure 12 – Bad Rabbit uses DHCP to enumerate machines on the subnet

Figure 13 – Port checking by opening sockets to port 445 and 139

If the ports are open, Bad Rabbit tries to authenticate to the machine over SMBv1 (Figure 14) using usernames and passwords it extracted from the host with “Mimikatz,” as well as a list of hardcoded usernames and passwords (Figure 15). Using the credentials, it tries to connect to a set of named pipes (Figure 16) and upload a file named “cscc.dat” (Figure 17). The file is executed on the remote host over IPC by calling the “svcctl” service.

Figure 17 – Writing the file to the ADMIN$ share and using IPC$ to run it

Similarity to ExPetr (NotPetya)

Bad Rabbit shares many similarities with the “ExPetr” malware that spread throughout Europe, and primarily in Ukraine, in late June 2017. Approximately 27% of the code in the Bad Rabbit loader is shared with ExPetr, and the Bad Rabbit payload has approximately 13% code reuse with ExPetr, according to an Intezer report. The Bad Rabbit ransomware drops a file “infpub.dat” to “C:\Windows\,” which is similar to the “perfc.dat” file dropped by ExPetr. According to Group-IB researchers, the same “vaccine” technique used to block ExPetr can also be used against Bad Rabbit to prevent the victim’s files from being encrypted: the .dat file is created manually and set to read-only.
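As an added example (not part of the original analysis), the following PowerShell triage script checks a Windows host for the file and scheduled-task artefacts named in this write-up (infpub.dat, dispci.exe, cscc.dat under the Windows folder; tasks “rhaegal” and “drogon”) and can optionally apply the read-only .dat “vaccine” described above. Only those names come from the analysis; the script structure, the placeholder handling and the requirement for an elevated session on Windows 8 / Server 2012 or later (for the ScheduledTasks module) are assumptions.

```powershell
# Hypothetical triage script for the Bad Rabbit artefacts described in the analysis.
# Assumed: run elevated; Get-ScheduledTask requires Windows 8 / Server 2012 or later.
[CmdletBinding()]
param(
    # Pre-create read-only placeholder .dat files so the payload cannot drop its own
    # (the "vaccine" referenced in the analysis). Mitigation only; off by default.
    [switch]$Vaccinate
)

$windir = $env:SystemRoot

# File artefacts named in the analysis: the DLL payload, the decrypter, and the
# file copied to remote hosts during lateral movement.
$artefactFiles = @('infpub.dat', 'dispci.exe', 'cscc.dat') |
    ForEach-Object { Join-Path $windir $_ }

# Scheduled task names used for persistence ("rhaegal") and the forced reboot ("drogon").
$artefactTasks = @('rhaegal', 'drogon')

$findings = @()

foreach ($path in $artefactFiles) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $item = Get-Item -LiteralPath $path
        # A zero-byte read-only file is what the vaccine leaves behind, not a payload;
        # report it separately so a vaccinated host is not mistaken for an infected one.
        $type = if ($item.Length -eq 0 -and $item.IsReadOnly) { 'VaccinePlaceholder' } else { 'File' }
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{
            Type   = $type
            Name   = $path
            Detail = ('{0} bytes, SHA256 {1}, modified {2:u}' -f $item.Length, $hash, $item.LastWriteTimeUtc)
        }
    }
}

foreach ($taskName in $artefactTasks) {
    $task = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue
    if ($task) {
        # Record what the task runs; the analysis notes the decrypter deletes its own
        # task once started, so absence of "rhaegal" alone does not clear the host.
        $action = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        $findings += [pscustomobject]@{
            Type   = 'ScheduledTask'
            Name   = $task.TaskName
            Detail = "State=$($task.State); Action=$action"
        }
    }
}

$suspicious = @($findings | Where-Object { $_.Type -ne 'VaccinePlaceholder' })

if ($suspicious.Count -gt 0) {
    Write-Warning "Bad Rabbit artefacts present on $env:COMPUTERNAME; isolate the host and preserve the items below before any cleanup."
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No Bad Rabbit file or scheduled-task artefacts found on $env:COMPUTERNAME."
    if ($findings.Count -gt 0) { $findings | Format-Table -AutoSize }
}

if ($Vaccinate) {
    foreach ($path in ($artefactFiles | Where-Object { $_ -like '*.dat' })) {
        if (Test-Path -LiteralPath $path) {
            # An existing file may be the real payload and is evidence; never overwrite it.
            Write-Output "Skipping $path (already exists)"
            continue
        }
        New-Item -ItemType File -Path $path -Force | Out-Null
        Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
        Write-Output "Created read-only placeholder $path"
    }
}
```

Run it without switches for a read-only check; add `-Vaccinate` only on hosts confirmed clean, since it deliberately refuses to touch any .dat file that already exists.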

Conclusion

At the time of this writing, responders and researchers are still examining the Bad Rabbit attack. Anomali researchers will continue to stay engaged and post updates accordingly.

The intelligence in this week’s iteration discusses the following threats: APT, Malspam, Malvertising, Malware, Phishing, Targeted attacks, Ransomware, and Underground markets. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.

Trending Threats

OSX/Proton Spreading Again Through Supply-Chain Attack (October 23, 2017)
ESET researchers discovered that the software development company “Eltima Software” was unknowingly distributing malware on its official website. The website was offering malicious versions of the “Elmedia Player” and “Folx” software that contained the “OSX/Proton” backdoor. The OSX/Proton backdoor is capable of stealing various forms of information from an infected machine such as browser information, operating system details, and SSH private data, among others.
Recommendation: Researchers advise that any user who downloaded Elmedia Player or Folx software on October 19, before 3:15 p.m. EDT, and ran it is likely compromised. Sometimes webmasters discover that one of their sites has been compromised months after the initial infection. Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs.
Tags: Compromised application, Backdoor, OSX/Proton

Advanced Persistent Threat Activity Targeting Energy and Critical Infrastructure Sectors (October 20, 2017)
The U.S. Computer Emergency Readiness Team (CERT) has issued a joint technical alert in collaboration with the Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI). The alert discusses Advanced Persistent Threat (APT) group activity that is targeting energy and other critical infrastructure sectors. The threat actors are using open-source reconnaissance, spear phishing emails, watering-hole domains, host-based exploitation, and ongoing credential gathering. The alert points to Symantec’s report regarding the APT group “Dragonfly” for additional information concerning this ongoing campaign.
Recommendation: Defense in depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spear phishing, and how to identify such attempts.
Tags: Technical Alert, APT, Targeted attacks

Malware Delivered via Necurs Botnet by DDE Feature in Microsoft Word (October 19, 2017)
The “Necurs” botnet is actively distributing malspam in attempts to infect recipients with “Locky” ransomware. The emails are randomly generated and purport to be an invoice. This campaign takes advantage of Microsoft’s Dynamic Data Exchange (DDE) feature in its malicious documents to contact a C2 server and download the malware. The malicious documents require a user to enable macros to begin the infection process. Researchers state that this Locky version also appears to have wormlike capabilities to infect other users on the same network.
Recommendation: All employees should be educated on the risks of malspam, and how to identify such attempts. Poor grammar and urgent content are often indicators of these types of attacks. Additionally, messages that request a recipient to open a file attachment should also be treated with suspicion.
Tags: Malspam, Ransomware, Locky

New Locky Ransomware Strain Emerges (October 19, 2017)
A new “Locky” ransomware strain has been found infecting users in the wild. The strain was first found on October 11, and has been dubbed “asasin” because of the “.asasin” extension the ransomware appends to encrypted files. Interestingly, this Locky variant gathers system information in addition to performing traditional ransomware functionality. The asasin variant gathers information such as the IP address and the infected machine’s operating system.
Recommendation: Ransomware is a continually evolving threat. It is paramount to have a comprehensive and tested backup solution in place. In the unfortunate case a reproducible backup is not in place, make sure to check for a decryptor before considering payment; avoid payment at all costs. Ransomware should be reported to law enforcement agencies who are doing their best to track these actors and prevent ransom from being a profitable business for cyber criminals. Additionally, this augmented version may allow actors to gather intelligence on a targeted network, and potentially discover machines for which they could demand a higher price for the decryption key.
Tags: Ransomware, Locky-variant, asasin

Magnitude Exploit Kit Now Targeting South Korea With Magniber Ransomware (October 18, 2017)
Trend Micro researchers have identified that the “Magnitude” exploit kit is distributing a new ransomware called “Magniber.” The threat actors behind this campaign are using malvertisements on actor-owned websites to target South Korean users with ransomware. Magniber will only fully execute if the installed language on the machine is identified to be Korean.
Recommendation: Malvertising and exploit kits in general are being developed and improved constantly by cybercriminals, so keeping software updated with the latest security patches is critical for users and enterprises. This includes both the operating system and all applications being used. Make sure there is a security system in place that can proactively provide a comprehensive defense against attackers targeting new vulnerabilities. Furthermore, in the case of ransomware infection, the affected systems should be wiped and reformatted, even if the ransom is paid. Other machines on the same network should be scanned for other potential infections.
Tags: Malvertising, Magnitude EK, Ransomware, Magniber

New Attacker Scanning for SSH Private Keys on Websites (October 18, 2017)
Threat actors are actively conducting scanning operations with the objective of finding private SSH keys. Some researchers speculate that this sudden spike in scanning activity could be caused by a bug or perhaps a common operational mistake made by WordPress administrators. Actors are looking for SSH keys in web directories where such a key might be stored, using terms such as “root,” “ssh,” or “id_rsa.” This scanning activity is reported to have begun on October 16, 2017.
Recommendation: Ensure that your company stores SSH keys in private locations, and do not copy a private key to the remote server that is being logged in to. SSH keys can also be protected with passphrases for another layer of protection. Additionally, WordPress administrators should avoid storing their SSH keys in the directories mentioned above to avoid these scanning attacks.
Tags: Threat actor, SSH key, Scanning, Theft

Android Malware on Google Play Adds Devices to Botnet (October 18, 2017)
Symantec researchers discovered eight applications in the Google Play store that are infected with “Sockbot” malware. The applications, which are themed around the game “Minecraft,” were downloaded between 600,000 and 2.6 million times. The malware appears to be primarily targeting Android users in the U.S. Researchers believe that the malware could be used to launch Distributed Denial-of-Service (DDoS) attacks, and that its flexible proxy topology could be used to exploit network vulnerabilities. Google has since removed the malicious applications.
Recommendation: Always keep your mobile phone fully patched with the latest security updates. Use the Google Play Store / Apple App Store to obtain your software, and avoid downloading applications, even if they appear legitimate, from third-party stores. In addition, it is important to review the permissions the application will request and the comments from others who have downloaded the application. Furthermore, it is paramount that mobile devices be kept up-to-date with the latest security patches and employ trusted antivirus software.
Tags: Mobile, Android, Malware, Malicious applications

New Malicious Macro Evasion Tactics Exposed in URSNIF Spam (October 18, 2017)
A new malspam campaign is targeting users with “URSNIF” malware, according to Trend Micro researchers. In this campaign, the actors behind the URSNIF malware are using Microsoft Office file attachments with malicious macros to deliver the malware. The attachments use the “AutoClose” feature, so the malicious macro runs when the malspam recipient closes the attachment and executes a PowerShell script that downloads and runs the malware.
Recommendation: Always be cautious while reading email, in particular when it has attachments or comes with an urgent label or poor grammar. Use anti-spam and antivirus protection, and avoid opening email from untrusted or unverified senders.
Tags: Malspam, Malware, URSNIF

Opening Hacker’s Door (October 17, 2017)
Cylance researchers have found that the Remote Access Trojan (RAT) called “Hacker’s Door” has reappeared in active investigations after being dormant since 2004-2005. The RAT was signed with a stolen certificate that is known to be used by the Advanced Persistent Threat (APT) group “Winnti.” The RAT is comprised of a backdoor and rootkit that, once installed, is capable of multiple remote commands including: downloading additional files, extracting Windows credentials from the current session, and gathering system information, among others.
Recommendation: Defense in depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network- and host-based security. Prevention and detection capabilities should also be in place. Furthermore, ensure that your company’s firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network. This will make it easier to spot unusual traffic and connections to and from your network and potentially identify malicious activity. The reappearance of this tool is evidence of threat groups returning to previous malicious tools after a period of inactivity. It is therefore important to be aware of the malicious tools used by threat groups, because they can sometimes indicate which actor/group may be responsible for an attack.
Tags: Malware, RAT, Hacker’s Door, APT, Winnti

ATM Malware is Being Sold on Darknet Market (October 17, 2017)
Two strains of ATM malware have been identified as being offered for purchase on an underground forum for $5,000 USD, according to Kaspersky Lab researchers. The malware specifically targets a certain, unnamed vendor’s ATMs. The offer was discovered on “AlphaBay,” which has since been taken down by the Federal Bureau of Investigation; however, it is possible that the malware was purchased prior to the takedown. The forum post explains what kind of ATMs are affected by the malware, and provides a manual that explains how to force an ATM to empty its cash.
Recommendation: ATM security relies on the same type of preventative measures as other systems, because ATMs, although unique in purpose, are still a type of computer. In the case of a confirmed infection, the ATM must be taken offline until it can be completely wiped and restored to its original factory settings. An audit of the transactions performed on the ATM should occur along with a formal incident response investigation.
Tags: ATM, Malware, Underground markets

Dangerous Ransomware Arriving as Fraudulent Eir Bill Email (October 17, 2017)
A new phishing campaign has been discovered targeting customers of the Irish telecommunications company “Eir,” according to ESET researchers. The emails purport to be from Eir, claim that the recipient’s bill is available, and provide a link to view the fake invoice. If the link is clicked, it downloads what appears to be a zipped file but is actually an obfuscated JavaScript file. The file will infect the user with the “Filecoder” ransomware if opened.
Recommendation: Always be on high alert while reading email, in particular when it has attachments, attempts to redirect to a URL, comes with an urgent label, or uses poor grammar. Use anti-spam and antivirus protection, and avoid opening email from untrusted or unverified senders. Additionally, it is important to have a comprehensive and tested backup solution in place for the unfortunate case of a ransomware infection.
Tags: Phishing, Ransomware

Lenovo Quietly Patches Massive Bug Impacting Its Android Tablets and Zuk, Vibe Phones (October 17, 2017)
On October 5, 2017, Lenovo quietly issued four patches to address vulnerabilities that affect all of its Android tablets, Vibe and Zuk phones, as well as the Moto M and Moto E3 handsets. The vulnerabilities are tied to the “Lenovo Service Framework” (LSF). Successful exploitation could allow a threat actor to execute arbitrary code remotely.
Recommendation: Your company should regularly check the software you use in everyday business practices to ensure that everything is always up-to-date with the latest security fixes. Using the automatic update feature is a good mitigation step to ensure that your company is always using the most recent version.
Tags: Vulnerabilities, Remote code execution

BlackOasis APT and New Targeted Attacks Leveraging Zero-day Exploit (October 16, 2017)
Kaspersky Lab researchers have discovered that the Advanced Persistent Threat (APT) group “BlackOasis” is leveraging a zero-day vulnerability (CVE-2017-11292) that affects Adobe Flash. BlackOasis exploited the vulnerability with malicious, geopolitically-themed Word documents that contain an ActiveX object, which in turn contains the Flash exploit. Opening the Word document can lead to successful exploitation and result in the user being infected with “FinSpy” malware.
Recommendation: Defense in depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network- and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of phishing and spear phishing, specifically how to identify such attempts and whom to contact if a phishing attack is identified. It may also be useful for employees to stop using email attachments in favor of a cloud file hosting service like Box or Dropbox.
Tags: Targeted attacks, APT, BlackOasis

Taiwan Heist: Lazarus Tools and Ransomware (October 16, 2017)
BAE researchers have published their findings regarding a cyber theft of approximately $195,000 USD from a commercial firm in Taiwan. The targeted firm, “Far Eastern International Bank” (FEIB) in Taiwan, had its network breached with malware that is known to be used by the Advanced Persistent Threat (APT) group called “Lazarus Group.” Researchers believe that Lazarus Group may have used a rare ransomware family called “Hermes” to distract the IT staff of FEIB while the theft of funds was occurring.
Recommendation: Defense in depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network- and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spear phishing, and how to identify such attempts.
Tags: Breach, Theft, APT, Lazarus Group

Observed Threats

This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section.

Locky Tool Tip
Locky is ransomware that is widely spread via phishing messages. Locky first appeared in early 2016 and is strongly correlated with the cybercriminal groups behind the Dridex and Necurs botnets. Multiple waves of Locky samples are distributed daily, and the delivery mechanism has evolved over time: spam messages with executable attachments, MS Word document attachments using macros to retrieve and then execute Locky, and Zip files that extract JavaScript loaders that retrieve and then execute Locky. Hosts compromised by Locky display a ransom note with instructions on how to decrypt the encrypted files. Encrypted files are renamed with the .locky or .zepto extension.
Tags: Locky, Ransomware
